An important open problem in the area of Traitor Tracing is designing a scheme with constant expansion of the size of keys (users' keys and the encryption key) and of the size of ciphertexts with respect to the size of the plaintext. This problem is known from the introduction of Traitor Tracing by Chor, Fiat and Naor. We refer to such schemes as traitor tracing with constant transmission rate. Here we present a general methodology and two protocol constructions that result in the first two public-key traitor tracing schemes with constant transmission rate in settings where plaintexts can be calibrated to be sufficiently large. Our starting point is the notion of copyrighted function which was presented by Naccache, Shamir and Stern. We first solve the open problem of discrete-log-based and public-key-based copyrighted function. Then, we observe the simple yet crucial relation between (public-key) copyrighted encryption and (public-key) traitor tracing, which we exploit by introducing a generic design paradigm for designing constant transmission rate traitor tracing schemes based on copyrighted encryption functions. Our first scheme achieves the same expansion efficiency as regular ElGamal encryption. The second scheme introduces only a slightly larger (constant) overhead, however, it additionally achieves efficient black-box traitor tracing (against any pirate construction).

Traitor Tracing with constant transmission rate

We introduce Attribute-Based Signatures (ABS), a versatile primitive that allows a party to sign a message with fine-grained control over identifying information. In ABS, a signer, who possesses a set of attributes from the authority, can sign a message with a predicate that is satisfied by his attributes. The signature reveals no more than the fact that a single user with some set of attributes satisfying the predicate has attested to the message. In particular, the signature hides the attributes used to satisfy the predicate and any identifying information about the signer (that could link multiple signatures as being from the same signer). Furthermore, users cannot collude to pool their attributes together.

We give a general framework for constructing ABS schemes, and then show several practical instantiations based on groups with bilinear pairing operations, under standard assumptions. Further, we give a construction which is secure even against a malicious attribute authority, but the security for this scheme is proven in the generic group model. We describe several practical problems that motivated this work, and how ABS can be used to solve them. Also, we show how our techniques allow us to extend Groth-Sahai NIZK proofs to be simulationextractable and identity-based with low overhead.

/pdf/attribute-based-signatures-1wwacem7li.pdf

Attribute-based signatures

In an attribute-based signature (ABS), users sign messages with any predicate of their attributes issued from an attribute authority. Under this notion, a signature attests not to the identity of the individual who signed a message, but a claim regarding the attributes the underlying signer possesses. In ABS, users cannot forge signatures with attributes they do not possess even through colluding. On the other hand, a legitimate signer remains anonymous without the fear of revocation and is indistinguishable among all the users whose attributes satisfying the predicate specified in the signature. ABS is useful in many important applications such as anonymous authentication and attribute-based messaging systems.In this paper, we propose two efficient ABS constructions supporting flexible threshold predicate by exploring a new technique for signature signing. Compared with existed schemes, the new constructions provide better efficiency in terms of both the computational cost and signature size. The first new construction is provably secure in the random oracle model, while the second construction does not rely on the random oracle assumption. To further reduce the trust on attribute authority, we also show an ABS construction with multiple attribute authorities. It is worth noting that the security of all the proposed constructions is not relying on generic group. As an illustrative application, we construct an efficient non-transferable access control system from ABS.

Attribute-based signature and its applications

In this paper we propose threshold attribute-based signatures (t-ABS). A t-ABS scheme enables a signature holder to prove possession of signatures by revealing only the relevant attributes of the signer, hence providing signer-attribute privacy for the signature holder. We define t-ABS schemes, formalize their security and propose two t-ABS schemes: a basic scheme secure against selective forgery and a second one secure against existential forgery, both provable in the standard model, assuming hardness of the CDH problem. We show that our basic t-ABS scheme can be augmented with two extra protocols that are used for efficiently issuing and verifying t-ABS signatures on committed values. We call the augmented scheme a threshold attribute based c-signature scheme (t-ABCS). We show how a t-ABCS scheme can be used to realize a secure threshold attribute-based anonymous credential system (t-ABACS) providing issuer-attribute privacy. We propose a security model for t-ABACS, give a concrete scheme using t-ABCS scheme, and prove that the credential system is secure if the t-ABCS scheme is secure.

/pdf/threshold-attribute-based-signatures-and-their-application-11er7tdjp5.pdf

Threshold Attribute-Based Signatures and Their Application to Anonymous Credential Systems

This paper presents a fully secure (adaptive-predicate unforgeable and private) attribute-based signature (ABS) scheme in the standard model. The security of the proposed ABS scheme is proven under standard assumptions, the decisional linear (DLIN) assumption and the existence of collision resistant (CR) hash functions. The admissible predicates of the proposed ABS scheme are more general than those of the existing ABS schemes, i.e., the proposed ABS scheme is the first to support general non-monotone predicates, which can be expressed using NOT gates as well as AND, OR, and Threshold gates, while the existing ABS schemes only support monotone predicates. The proposed ABS scheme is efficient and practical. Its efficiency is comparable to (several times worse than) that of the most efficient (almost optimally efficient) ABS scheme the security for which is proven in the generic group model.

/pdf/efficient-attribute-based-signatures-for-non-monotone-1be73qz067.pdf

Efficient attribute-based signatures for non-monotone predicates in the standard model

https://caislab.kaist.ac.kr/publication/paper_files/2010/infosci-jinli.pdf

Hidden attribute-based signatures without anonymity revocation

Ring signature was proposed to keep signer’s anonymity when it signs messages on behalf of a “ring” of possible signers. In this paper, we propose a novel notion of ring signature which is called attributebased ring signature. In this kind of signature, it allows the signer to sign message with its attributes from attribute center. All users that possess of these attributes form a ring. The identity of signer is kept anonymous in this ring. Furthermore, anyone out of this ring could not forge the signature on behalf of the ring. Two constructions of attribute-based ring signature are also presented in this paper. The first scheme is proved to be secure in the random oracle model, with large universal attributes. We also present another scheme in order to avoid the random oracle model. It does not rely on non-standard hardness assumption or random oracle model. Both schemes in this paper are based on standard computational Diffie-Hellman assumption.

/pdf/attribute-based-ring-signatures-3ghvp9x8mh.pdf

Attribute-Based Ring Signatures.

A new hierarchical identity based (ID-based) cryptosystem is proposed, including hierarchical identity based encryption (HIBE) and signature (HIBS) schemes. The new HIBE scheme can be proved to be secure without relying on the random oracle model. Then, a new public key encryption (PKE) scheme is constructed based on the new HIBE. It is secure against adaptively chosen ciphertext attacks (IND-CCA) and has many attractive properties, such as efficient key generation, short private key, fast encryption, and etc. Performance of the new PKE scheme is better than all the previous PKE schemes converted from IBE, and is competitive with the best provably secure solutions to date. Furthermore, a new HIBS scheme is also constructed, which shares the same parameters with the new HIBE. The new HIBS scheme is more efficient than the previous HIBS.

/pdf/a-new-hierarchical-id-based-cryptosystem-and-cca-secure-pke-5aoox0s2f3.pdf

A new hierarchical ID-Based cryptosystem and CCA-Secure PKE

This paper first introduces the concept of universal designated verifier ring signature (UDVRS), which not only allows members of a group to sign messages on behalf of the group without revealing their identities, but also allows any holder of the signature (not necessary the signer) to designate the signature to any designated verifier. According to whether the designator has a registered public key, two kinds of UDVRS are proposed. In order to distinguish the two types of UDVRS, we call it UDVRS Proof (UDVRSP) if the designator has not a registered public key, and this protocol is interactive. We give the formal security definitions and notions of UDVRS and UDVRSP. Then, we propose a UDVRS and a UDVRSP scheme, with rigorous security proofs without random oracles.

/pdf/universal-designated-verifier-ring-signature-proof-without-4w7mxf1m7k.pdf

Universal designated verifier ring signature (proof) without random oracles

An aggregate signature is a single short string that convinces any verifier that, for all 1 ≤ i ≤ n, signer i signed message mi, where the n signers and n messages are distinct. The main motivation of aggregate signatures is compactness. In this paper, the concept of aggregate proxy signature (APS) is first proposed to compact the proxy signatures. Furthermore, a concrete APS scheme is constructed, which can be proved to be secure under the security model of APS. Additionally, as an application of APS, the concept of verifiably encrypted proxy signature (VEPS) is also first proposed in this paper, which can be used in contract signing. The VEPS allows the original signer to delegate another to sign the contract on its behalf. Finally, a VEPS construction is derived from the APS, which can be easily proved to be secure from the security of APS.

Jin Li

Papers

Hidden attribute-based signatures without anonymity revocation

Attribute-Based Ring Signatures.

A new hierarchical ID-Based cryptosystem and CCA-Secure PKE

Universal designated verifier ring signature (proof) without random oracles

Aggregate proxy signature and verifiably encrypted proxy signature